DWF Labs is under scrutiny following allegations of a $44 million hack. The sophisticated attack, reported by a popular on-chain sleuth, is attributed to the North Korean group AppleJeus. The incident was reportedly concealed from public view until recent disclosures by blockchain analysts and cybersecurity researchers.
Timeline of Attack on DWF Labs
The compromise occurred in September 2022. The threat actor AppleJeus, associated with the DPRK, exploited vulnerabilities in DWF Labs’ security and drained assets from one of its key addresses over several hours.
The stolen funds consisted primarily of USDC and USDT stablecoins, with an aggregate loss exceeding $44 million. Attackers leveraged private keys and account credentials to move assets into their control, undetected until significant losses had already occurred.
After emptying the affected wallet, the hackers transferred the assets to centralized exchanges and then converted them into Bitcoin using the Ren Protocol bridge. The laundering process continued with the assets routed through Mixero, a Bitcoin mixer, to obscure their origin.
On-chain researcher tanuki42 identified the compromised address’s interactions with known partners of DWF Labs, including Yield Guild Games and MagnifyCash. These address connections reinforced the link between the hacked wallet and the market maker.
Despite signs of unauthorized withdrawals, DWF Labs reportedly made no successful attempts to halt the draining of funds. The attack lasted more than 5 hours, with no public disclosure from DWF Labs, leading to further speculation about internal security measures and transparency practices.
What the Attack Means for the Crypto Industry
The laundering methods are consistent with previous breaches by AppleJeus, including hacks targeting Deribit, Tower Capital, and Radiant. Industry analysts drew parallels across bridge, mixer, and transaction strategies, as well as the prolonged dormancy of stolen assets before their recent mobilization.
As of November 2025, approximately $30 million in stolen assets remains unmoved, while the remainder continues to be laundered. Prominent on-chain investigators, including ZachXBT and TRM Labs, are assisting with the ongoing analysis and have publicly commented on the likelihood that DWF Labs concealed the hack.
The implications extend beyond DWF Labs, as the event reflects continuing vulnerabilities in crypto asset management and the sector’s susceptibility to nation-state attacks by threat actors with advanced resources. The breach coincides with other high-profile DeFi security failures, adding to wider worries about protocol risk and market trust.